Bot Traffic and Ad Revenue: Why It Doesn't Work

The short answer to "why don't bots just run sites and collect ad revenue?" is that the programmatic advertising ecosystem has built multiple layers of defense against invalid traffic (IVT). The longer answer is that those defenses are leaky enough that ad fraud remains an industry estimated by the World Federation of Advertisers (WFA) to cost advertisers tens of billions per year — figures the WFA has projected could exceed $50B annually by 2025 in a baseline scenario and far higher if left unchecked. ## How the defenses actually work Three commercial verification vendors dominate IVT measurement: Integral Ad Science (IAS), DoubleVerify (DV), and MOAT (acquired by Oracle in 2017 and later wound down inside Oracle Advertising). All three, plus Google's Active View, are accredited by the Media Rating Council (MRC). They sit in two positions in the bidstream: - **Pre-bid filtering** — DSP-integrated segments block bidding on inventory flagged as risky before money is spent. - **Post-bid measurement** — tags fire on rendered ads to confirm a real browser, a real viewport, and a real human-shaped behavior pattern. Under the hood, IVT detection blends: - **Network signals**: datacenter IP ranges, residential-proxy patterns, ASN reputation, impossible geo/velocity combinations. - **Device fingerprinting**: canvas fingerprint, WebGL renderer, font lists, audio context, TLS fingerprint (JA3/JA4), declared vs. actual user agent, and tell-tale automation properties like `navigator.webdriver`, `HeadlessChrome` in the UA string, missing or spoofed plugin arrays. - **Behavioral analysis**: mouse-movement entropy, scroll cadence, dwell time, focus/blur events, click-timing distributions — uniform or impossibly fast inputs flag as non-human. - **Viewability**: the MRC viewability standard only counts a display impression if at least 50% of the ad's pixels are in the viewport for at least 1 second (2 seconds for video; 30% for very large display creatives). Bots that render off-screen or in a 1x1 iframe fail viewability and don't bill. ## Why basic scrapers earn nothing Modern ad slots are populated by a chain of JavaScript: the publisher's ad server, an ad exchange, an SSP, a DSP, and finally a measurement tag. A scraper that just does an HTTP GET and parses HTML never executes any of that, never fires the viewability tag, and never generates a billable impression. Even most headless browser setups (vanilla Puppeteer, Playwright, Selenium) leak signals — `navigator.webdriver === true`, missing chrome runtime objects, default fingerprints — that pre-bid filters immediately flag. ## Why "bots can't make ad money" is mostly but not entirely true The statement is directionally correct but historically wrong as an absolute. The famous counter-examples: - **Methbot** (peak 2016) — a bot network of 800–1,200 dedicated datacenter servers in the US and Netherlands proxied through hundreds of thousands of hijacked IPs. It ran headless browsers tuned to mimic human behavior (working hours, fake Facebook logins, browser extensions, simulated pauses and clicks) against fabricated video pages spoofing premium publishers. White Ops (now HUMAN Security) estimated it generated ~300 million fake video ad views per day, extracting an estimated $3–5M per day from US advertisers at its peak. - **3ve** (active 2013–2018) — a hybrid operation using ~1.7M malware-infected consumer PCs running hidden browsers to load ads on fabricated sites. The FBI, Google, and White Ops dismantled it in 2018; the US DOJ indictment cited at least $29M in stolen ad revenue. These operations succeeded precisely because they did execute JavaScript, did render ads, and did simulate plausible human behavior. The cat-and-mouse game continues today with anti-detect browsers (Kameleo, Multilogin), residential proxies, and stealth frameworks (puppeteer-extra-plugin-stealth, undetected-chromedriver, Nodriver) that patch known fingerprint tells. ## Made-for-advertising sites: the legal grey zone Made-for-advertising (MFA) sites are a different problem. They serve real humans — usually arriving via clickbait, paid social, or low-quality SEO — but the pages are engineered to maximize ad density, refresh rate, and scroll length rather than to deliver content. They pass IVT checks (the traffic is technically human) but waste ad budgets. The Adalytics investigations of 2023, followed up by an Association of National Advertisers (ANA) study, estimated that roughly 15% of the ~$88B US programmatic advertising spend was flowing to MFA inventory, and that nearly every major holding company and DSP was placing brand ads on these sites despite anti-MFA messaging. The Trade Desk and Walmart DSP were notable for showing zero MFA placements in Adalytics' samples. ## CTV: the new fraud frontier Connected TV (CTV) advertising is structurally easier to defraud than display because the device-side measurement is weaker and server-side ad insertion (SSAI) breaks the line between the ad call and the actual viewing device. Pixalate and others have reported IVT rates roughly double when SSAI is in the supply chain. DoubleVerify documented SneakyTerra, an SSAI scheme spoofing over 2 million devices per day and potentially costing advertisers $5M+ per month; the earlier ICEBUCKET operation ran ~1,700 controlled SSAI servers generating up to 1.9 billion fake ad requests per day. CTV bot fraud doesn't need a browser at all — it forges device IDs, app bundle IDs, and the SSAI session metadata. ## Supply-chain transparency: ads.txt and sellers.json The IAB Tech Lab introduced a stack of transparency standards specifically to make domain-spoofing and unauthorized reselling harder: - **ads.txt** (2017) — a plaintext file at `/ads.txt` on the publisher domain listing which SSPs and resellers are authorized to sell that publisher's inventory. Buyers refuse bids that don't match. Killed off most casual domain-spoofing. - **app-ads.txt** — the mobile-app equivalent, fetched from the developer URL declared in the app store listing. - **sellers.json** — published by each SSP/exchange listing every seller account they pay out to, by domain and role (publisher vs. intermediary). - **SupplyChain object** (schain) — an OpenRTB field carried in every bid request that records every hop the impression took from publisher to buyer. Together these let a DSP trace any impression back to a publisher and verify the money trail. They don't stop sophisticated fraud, but they raise the floor. ## The honest summary For a web scraper or hobbyist bot, monetizing via ads is essentially impossible: no JavaScript execution, no viewability, no authorized seller path, instant pre-bid rejection. For an organized criminal operation willing to invest in a real botnet, residential proxies, anti-detect browsers, and behavioral simulation — or to exploit the weaker measurement surface of CTV SSAI — bot-driven ad revenue is empirically achievable and remains a multi-billion-dollar parasitic industry, which is why HUMAN Security, DoubleVerify, IAS, and Pixalate exist as ongoing businesses rather than one-shot fixes.